1. Field of the Invention
This invention relates generally to authentication of a remote electronic device, and more specifically, to a method and apparatus for authenticating via information specific to the device's physical location within a structure.
2. Description of the Related Art
Data Center Security Services (DCSS), often used in conjunction with cloud computing frameworks, enables organizations to add location and proximity verification to a multi-factor trust chain, strengthening and simplifying security from any protocol, system, technology or location. Geo-location, signal triangulation, and IP address lookup have all been used in some fashion to enable location-based policy decisions.
While these technologies continue to have application in areas such as enforcement of access rules to licensed content or low-level system security controls, the limitations and vulnerabilities in these technologies make them a less than ideal choice in protecting areas such as data centers, critical infrastructure and other highly sensitive information and services. However, these location technologies have serious limitations, such as: being subject to spoofing, limited ability to operate within buildings, and a high degree of error.
Security and privacy concerns on unrestricted workload migration, and the guarantee of the individual workloads' segregation within a trusted compute pool, are major concerns in today's cloud computing framework. The fear of workloads leakage or interference in a shared cloud computing environment is even more pronounced when the trusted compute pool is distributed across countries with different judicial, regulations, and data security and privacy laws.
Therefore, the launch, execution and later movement of workloads from cloud servers as a function of the government or corporate policies may need to be restricted based on the servers' pool geolocation. A common practice is to only use cloud servers that are physically located within the same trusted pool and the same country, taking advantage of the trusted pools of compute and, if possible, the same data center.
The use of such public and private networks has fundamentally altered the manner in which business enterprises and government agencies communicate and conduct business. For example, the Internet, intranets and extranets are used to store, analyze and transmit information between and within organizations, and permit interactive, local, national or global communication on a real-time basis. Moreover, these networks are now used for electronic business-to-customer retail commerce and for electronic business-to-business commerce of all types.
In order to achieve its full potential, however, e commerce must overcome numerous security and related issues, including concerns relating to hacker attacks, merchant impersonation, data confidentiality and integrity, fraud, and transaction repudiation. Key to all of these problems is the need to authenticate a user's identity in a manner that is extremely difficult or impossible to defeat.
For example, to improve the confidentiality of communications and commerce over networks, public key infrastructure (“PKI”) encryption systems have been developed. Using PKI encryption, digital messages are encrypted and decrypted using ciphers or keys. A conventional public and private key pair includes a public key and a private key. Each user of the system has a public key and a private key and must know the public key of the intended recipients of its messages. In general, a message is encrypted and sent by a sender using the recipient's public key and is then received and decoded by the recipient using his private key.
For example two network computer users, Alice and Bob, each have their own public and private key pair. The private keys are secret numbers to which only the owner has access. In general each public is generated using the following formula:Gx mod P,  (1)
where G and P are large prime numbers and x is the user's private key. In this manner, eavesdroppers would have great difficulty determining x even if the values of G and P are known. Hence, the public keys can be broadly disseminated without revealing the related private key. For example, Bob and Alice provide their public keys to each other prior to initiation of encrypted communication.
Thereafter, whenever encrypted communication is to occur, the sender utilizes their private key in conjunction with the recipient's public key to encrypt the data being sent. Upon receipt, the recipient decrypts the data using the recipient's private key. For example, when Alice wishes to send Bob an encrypted message, Alice encrypts the message using her private key in conjunction with Bob's public key. Upon receipt, Bob decrypts the message using his private key.
PKI systems attempt to provide a high level of security and confidentiality because messages can be decoded only by persons having the recipient's private key. However, it is well known in the industry that a weakness of PKI technology is its susceptibility to the “man-in-the-middle” attack.
For example, assume a new person, Cindy, enters the example as a middleman. As before, Alice has a public and private key pair and Bob has a public and private key pair. In addition, Cindy, the middleman, has a public and private key pair. If Cindy can intercept a transmission between Bob and Alice, she can trick them into using her public key. In this attack, the attacker intercepts the transmission of a public key and replaces it with the attacker's false key, thereby effectively replacing the true sender as the trusted party. This enables the attacker to send, receive and decode messages intended for the original legitimate user.
For example, during a “man-in-the-middle” attack, Cindy intercepts Alice's public key and replaces it with Cindy's public key. Similarly, Cindy intercepts Bob's public key and replaces it with Cindy's public key. Bob and Alice each believe they have each other's public key, however, they actually have Cindy's public key. Later, during encrypted transmissions, both Alice and Bob unknowingly use Cindy's public key in conjunction with their respective private keys to encrypt messages to each other, which are actually intercepted by Cindy. Cindy can decrypt the messages using her private key, and further, re-encrypt the messages using Cindy's private key and the proper recipient's public key.
Alternatively, an attacker can also submit false public key entries to certificate managers and effectively masquerade as another person. The implementation and use of PKI technology over remote sites without independent verification of identity poses many risks and must be used judiciously.
As described above, PKI encryption systems do not provide assurance as to the authenticity of the sender. An attempt has been made to address this problem through use of digital certification systems that use public and private keys to create special files, or digital certificates or signatures. The digital certificates are encoded using a sender's private key and, upon receipt, decoded by the recipient using a copy of the sender's public key obtained from a remote trusted administrator. For example, a certification authority (CA), which confirms the identity of the sender through transmissions over the Internet or other network, can be used to disseminate public keys.
Certifying authorities generally are either public or private. Public certifying authorities are independent third parties that issue digital certificates for use in Internet applications, after conducting due diligence as to the identity of the subscriber. Private certifying authorities are entities that issue their own digital certificates, often to closed communities of users, such as customers or employees, for use in Internet, intranet, extranet or other applications.
However, the Certifying Authority approach has numerous flaws and loopholes. For example, it is well known in the PKI industry that a person can create a key pair and claim to be someone else. By inserting an unauthorized public key in a transaction or on a public database, the masquerading party creates ambiguity and can receive encrypted files intended for the person he is impersonating. This flaw, combined with a lack of location and apparatus ID information, makes detection of the identity deception extremely difficult.
Remote certifying authority technologies are fundamentally self-limiting. As explained above, remote certifying authorities use multiple transmissions over the Internet to receive, certify, and then deliver digital certificates. There are at least three Internet transmissions of information for each digital certificate created, including the original request for a certificate, the delivery of a certificate to the initiator, and the transmission of the original document and certificate to the final intended recipient. Moreover, should the recipient want to certify his receipt, three additional transmissions must occur. As more users rely upon remote certifying authorities for digital certificates, the demand for Internet bandwidth will increase geometrically, ultimately slowing the system down. The more the system is used, the slower it will become, causing users to turn away from CA technology. Due to this self-limiting property, it is unlikely that remote certifying authority technologies will ever become the universal standard for identity authentication.
Moreover, revocation of privileges and identity authentication are not immediate using CA technology. Since libraries of public keys are storied in multiple databases that reside on the servers of multiple Certifying Authorities, a significant delay exists between the time that a service elects to revoke key privileges and the time that the revocation information has fully propagated to all possible public key databases and servers. More and more large organizations are recognizing that the maintenance of current information about authorized and unauthorized personnel across multiple remote CA's is a daunting task, which is further complicated by the fact that a person whose credentials have been revoked may continue to have access privileges until the revocation propagation is complete. This raises security concerns about sensitive data being exposed to dismissed or disgruntled employees whose credentials have been revoked. In the today's CA system, those employees have measurable time in which they may continue to access sensitive information against the will of their employer.
Commercial applications have a need for a verifiable means to demonstrate the occurrence of a particular e-commerce transaction or Internet communication, in order to reduce the risk of fraud or repudiation of a transaction or communication by the parties. This need is present in the case of existing e-commerce applications, and will increase as e-commerce expands with the offering of additional software packages over the Internet through application service providers (ASPs) and the offering of additional material that is copyright protected (e.g., CD quality sound, video and images.)
A key to continuing e-commerce growth is an incontestable witness to a connection, download, file-creation or transmission that will create security of audit trails and transaction records. The common elements required to solve these problems include time and authenticated user location. Although it is necessary to record file activity on the receiving computer system, non-repudiation of a transaction requires recordation of the same file activity on the sender's computer system as well. Independent witnessing of time and location of events provides this non-repudiation.
Existing Remote Certifying Authorities attempt to identify both a specific document and the signer of the document, but these technologies cannot identify the exact time when a document or signature was created (as distinguished from when a document is received) because the time in a computer can be altered. Moreover, remote certification with a CA over the Internet or other network requires delay and transmission time, thereby preventing exact time confirmation. Existing attempts to deal with the problem of real-time verification are not effective because assurance is given only as to the time of document receipt, not creation.
A number of attempts have been made to increase system security in the prior art. The following is a list of prior art disclosures that provide some form of system security. However, as will be seen, none of the disclosures provides a level of security currently needed to ensure proper protection of today's highly sensitive transaction data.
Hissle et. al, in PCT publication WO 97009802, describe a method which the timestamp for a document is authenticated using a remote source of time such as GPS. Since the GPS satellite system has an independent and redundant source of time and date, the remote time can be compared to the local system time as a means of authenticating the system time and therefore the time of creation of a document. The external and local times are then compared and if the difference exceeds a preset range, the internal clock is updated. The disclosure further describes the creation of a digital timestamp or signature in which the authenticated time is combined with a summary of the file and the processor ID to provide authentication of the file's creation time. The concern here is that the system does not include the location of the file at its time of creation nor the identity of the user.
Murphy, in U.S. Pat. No. 5,640,452, discloses a method in which the location of a decryption chip is employed to restrict access to a broadcast signal. The location is determined locally by a GPS receiver and is compared against the authorized location set at the time of installation. For example, a digital satellite receiver dish could employ this technology to assure that clones of the decryption chip will not operate at any location other than that originally licensed, since their location will be incorrect. This technology does not authenticate the user in any way, nor does it authenticate the GPS location through any independent means. It further suffers from the fact that since the location detector sends an enabling signal to the decryption chip, the system will likely be defeated by insertion of the proper enabling signal, thereby bypassing the location requirement.
Loomis et. al., in U.S. Pat. No. 6,092,193, disclose a method for authenticating accumulated instrument data in which a summary of the data sampled at pre-set times are compiled in a sequential fashion and encrypted each time the total exceeds a pre-set value. By comparing the decrypted totals to the current total of the data in memory, alterations to the data can be detected and therefore declared invalid. The disclosure does not employ location, nor does it authenticate the user in any way in order to control access.
Schipper et. al., in U.S. Pat. No. 5,754,657, describe a process by which a message source is authenticated by its location. In this patent, the inventors employ a process by which the source of the message receives its location using GPS and appends a portion of that raw signal to the data. Part or all of the combined message can be encrypted. The signal is decrypted upon receipt, and the receiver uses the raw GPS signals to determine whether or not the source resides at its pre-authorized location. Unfortunately, a synthesized or pre-recorded GPS signal stream could be employed to facilitate masquerading by an unauthorized source.
In U.S. Pat. No. 5,757,916, MacDoran et. al. disclose a technique by which the raw satellite signals from a source computer are transmitted to a remote server that requires authentication. The MacDoran disclosure further employs a second source computer that also sends its raw GPS signals to the server. The server uses the raw signals from both sources to calculate their respective locations, which are compared against locations stored in the profiles for the two sources. In addition, a differential location vector is calculated from the raw signals, and this differential vector is also compared against the profiles to determine that it is consistent with the two authorized locations. In principle, since the satellites are continually moving and the calculations are performed on signals from two nearby locations, spoofing of the original source signal would be difficult. This system introduces the additional complication that an authenticated third party (the second source) must be on-line, receiving signals, and available for transmission in order to authenticate the first source. Availability of authentication and privacy of the two sources are concerns that surface here.
In view of the foregoing, there exists a need for enhanced authentication of the identity of a person initiating an electronic transaction, electronic file, document, or accessing an electronic file, document, or database. In order to avoid opportunities for interception, masquerading, “man-in-the-middle” attacks, and other forms of electronic fraud, there is also a need that such authentication not require any transmission of information to a remote third party, commonly referred to as “remote certifying authorities.” Furthermore, such authentication should preferably occur on a real-time basis, at the time of the transaction, file creation, or data access. Moreover, such authentication should preferably include location information that can be independently certified.